> PRINT_FLAG, FINGER_INFO, FINGER_TOPO_COORD, QUALITY, MATCHING_FINGER
> The values within there can be quite detailed and I’ve no reason to think that this isn’t indeed legitimate print data uniquely and biologically identifying the owner. You don’t get to reset that stuff once it’s been released into the wild!
That's one of the biggest dangers in using biometrics as a factor in authentication. Once it leaks (and keeping data safe is one of the hardest tasks in today's world) there is no changing, no resetting, it is out there and rendered useless at best or a vector for identity theft at worst.
I wrote about this practice the other day. It's interesting to observe that when Apple announced Touch ID for example it was presented as something with improved security.
The biggest advantage of Touch ID is that people who never had a passcode on their phone now use it.
You have to consider the limitations it has as well. An attacker could potentially lift your fingerprints and use them to unlock your phone. But they only get five chances to fool the sensor before Touch ID disables itself, and they have to do their work within 48 hours of when you last entered your password.
As with all things security, the important question is what sort of threats you're defending against. For the scenario where I lose my phone or I get mugged, Touch ID is fine. If I'm defending against police seizing it as evidence, it's probably fine. I'd be surprised if the police could move quickly enough to make the deadline. For police encounters I know about ahead of time (like passing through customs), it's easy to shut the phone off to temporarily disable Touch ID. The only scenario where it likely fails is a targeted attack by someone with sophistication, like if the FBI thinks I'm a terrorist, and I'm not particularly worried about defending against that.
Note that your six-digit PIN doesn't necessarily save you here either, although it would buy time. Whatever the FBI did to the infamous San Bernardino iPhone would probably work on yours in a longer but practical amount of time.
People often say that fingerprints are usernames, not passwords. I don't think that's very useful. A fingerprint doesn't fit inside the old username/password ideas, it's something different from both, with its own unique properties.
No, it's a username that is physically tied to the user. If I can get that data (fingerprint) then I don't need to go through the usual rigmarole of password hacking.
Fingerprints are literally "one factor auth".
Consider an example. Imagine if HN authenticated based only on the username. Could you get into my account? Now imagine if HN used fingerprint authentication. Would that make it harder?
The problem I see is using fingerprints which are unique to your person, unchangeable, and spread around us in a very liberal fashion as passwords.
Imagine for a second that the San Bernardino iPhone had used Touch ID, don't you find it highly plausible that the US government would be able to find a good fingerprint that could be used to unlock the phone? I guess they even had his body at hand so it would have been dead simple.
That is a very good observation and puts Touch ID in perspective. If you died today would you be ok with your family and/or friends being able to unlock your phone and go through all your personal data? Sure, there may be genuine reasons for them to do so but still, all your data will be at their fingertips and even if you "trust" that they'll limit themselves to only look for the relevant information to get your things in order they still have to sift through a lot of data you may not want them to.
In other words, citation needed.
I can't find it now, but not long after that another group found an even simpler method of printing out a fake print. I did find a much more recent attack based on just using a special conductive ink cartridge in a regular inkjet to directly print something on paper that would work. Bottom line is that it doesn't take a lot of fancy equipment, supplies, or skills to print a fake fingerprint that will fool TouchID.
As for "a photo derived from someones hands", I'm not sure what they meant but if you had a photo that could make out the ridges of someone's fingerprint then yeah absolutely.
I do trust Apple more than many other entities and as you say they don't have a database with fingerprints. Further the secure enclave is definitely a secure piece of engineering.
As evident by the linked article, though, the problem isn't Apple; the problem is all the other databases that will have your fingerprints. As Troy says in the article
Once your fingerprints leak somehow there's no way to reset or change them. To me at least it seems like a really poor idea to use something with those properties as passwords.
A username can identify (but not authenticate) an individual, biometric data can do both, whereas a password is nothing by itself. It’s only meaningful in conjunction with an identifier as a shared secret in order to authenticate.
* PIN to unlock the phone, no Touch ID. Phone set to self-erase after x attempts.
* TouchID to only unlock 1Password. 30 char master password
* TouchID used for nothing else.
I would welcome any feedback if there is something that I have missed.
Leaking? Why do you need a leak? Just follow somebody and wait until he touches something, preferably a glass in a pub or something similar.
I am very worried with Brazil's push to require biometric fingerprints to vote, AND voting being mandatory...
Here's a list of documents for which you need to provide fingerprints, off the top of my head:
– National identity card (RG), mandatory for all citizens over 18 years of age;
– Military conscription certificate (CAM), mandatory for all male citizens over 18 years of age;
– Voting card (Título de Eleitor), mandatory for all citizens between 18 and 65 years of age, encouraged for all citizens over 16;
– Employment record book (Carteira de Trabalho), mandatory for any formal employment;
Also, as of at least three years ago in the state of Rio de Janeiro, some of these were already computerized.
If they already have fingerprints, and now fingerprints are suddenly required for voting, that makes election fraud easier for the government.
You cannot "hack" a piece of paper easily...
But with mandatory vote + mandatory fingerprint to vote, you just turn that database into a giant juicy target; an attacker can be sure that all voters will have fingerprints there.
This is intuitively appealing, but do biometrics really boil down to an exact number that we could hash like this? (Genuine questions; I don't know.) It seems more likely to me that biometric measurements would be considered to "match" when they're within particular tolerances. This is an operation you can perform on the original measurements, but not on hashes of those.
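The distinction raised in the comment above, as an added example that is not part of the original thread: exact hashes of two captures of the same finger differ, while a distance check within a tolerance still matches. The feature vectors, the `TOLERANCE` threshold and the function names are constructed for illustration and are far simpler than real fingerprint templates.

```python
import hashlib
import math

# Constructed sample data: 8-value vectors standing in for fingerprint templates.
ENROLLED   = [12.1, 48.7, 33.0, 91.4, 5.6, 67.2, 20.9, 74.4]
SAME_AGAIN = [12.3, 48.4, 33.2, 91.1, 5.9, 67.0, 21.1, 74.6]  # same finger, new capture
OTHER      = [40.2, 17.9, 88.3, 23.5, 61.0, 9.4, 55.7, 30.1]  # different finger

TOLERANCE = 2.0  # hypothetical match threshold (Euclidean distance)


def template_hash(vec, step=None):
    """SHA-256 of a template; optionally snap each value to a grid of size `step` first."""
    if step is not None:
        vec = [round(v / step) * step for v in vec]
    encoded = ",".join(f"{v:.1f}" for v in vec).encode()
    return hashlib.sha256(encoded).hexdigest()


def hash_match(a, b, step=None):
    """Password-style comparison: equal only if the hashed inputs are identical."""
    return template_hash(a, step) == template_hash(b, step)


def distance(a, b):
    """Euclidean distance between two raw templates."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def fuzzy_match(a, b, tol=TOLERANCE):
    """Biometric-style comparison: needs the raw measurements, not their hashes."""
    return distance(a, b) <= tol


if __name__ == "__main__":
    print("distance, same finger :", round(distance(ENROLLED, SAME_AGAIN), 3))
    print("fuzzy, same finger    :", fuzzy_match(ENROLLED, SAME_AGAIN))
    print("fuzzy, other finger   :", fuzzy_match(ENROLLED, OTHER))
    print("exact hash            :", hash_match(ENROLLED, SAME_AGAIN))
    # Snapping to a grid before hashing only helps when no value straddles a bin
    # edge: it fails at step 1.0 and happens to succeed at step 5.0 for this pair.
    print("hash, grid step 1.0   :", hash_match(ENROLLED, SAME_AGAIN, step=1.0))
    print("hash, grid step 5.0   :", hash_match(ENROLLED, SAME_AGAIN, step=5.0))
```
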
I switched my phone fingerprint to another finger for my phone as soon as I signed up for a passport.
Better, if you don't leave the EU, you can use an identity card that doesn't have the fingerprint.
I was lucky enough to have an old passport that just spanned the period in which the fingerprint was stored centrally. Now I have an ID card, but one time in the future I will leave the EU, and then I have to get a passport...
So a piece of plastic the bank gives you with mostly arbitrary numbers on it is better protected than your own fingerprints, which you're stuck with for life?
Ultimately, you still only have 10 fingers (general assumption), and not a large space like 30 char passwords.
Like, the output range of a convnet, or something.
I actually had to create five new data classes when loading this breach, that is I’d never seen this information in a breach before: Marital statuses, Biometric data, Physical attributes, Family members'
Electoral enrollment status and place you live is usually public information. It should be to prevent vote fraud.
Without other ID, you give your passport details to every company that uses it for ID, every airline, even the bouncer at a bar. When you're travelling and don't have the local ID, you use it to get a sim card, bus pass, just about everything. It's not really secret.
As for the biometric data, what use would a malicious actor make of that? They can't impersonate you because authentication shouldn't be done with only reproducible biometric data. They could identify you if you're physically touching them, but then they can already see you in person.
Mother's middle name according to the article can usually be predicted by her parents' names. Family history and names is also public data. Just ask the Mormon church which hoards it.
Also, please expand on their comment re: the event helping a particular candidate. I don't understand how this incident favors / helps a particular candidate over another.
> There’s voting history against names (it appears to just be dates rather than the candidate voted for).
So, the data leaked was voter registration info. Actual votes were not in this database.
Other headlines would lead a reader to believe actual votes were leaked. For example, "Megabreach: 55 MILLION voters' details leaked in Philippines". Leaking votes alongside emails would be far more injurious than email addresses and family names.
Any leaked biometric data becomes unusable as an authenticator in the future.
You cannot do that, not because of the problems for those people, but because it would break trust in the system. It would become apparent how unsafe it is to keep fingerprints stored digitally in a central database. That would be a bigger problem, worldwide. People would demand to get rid of these databases, and I bet many intelligence services would not like that.
Are there any startups that are building tech to allow end-to-end identity management systems? Seems like a huge market.
Basically my position is that I agree it's complex, but I believe it's possible to address the issue in a way that for all parties (individual, government, 3rd-party) more value is created and less risk exists; this applies universally in my opinion.
Any rate, unclear how responding to my question with questions addresses my question other than to assume that the lack of an answer means that there are no startups that address this issue; meaning any solution I've seen requires a central authority to be involved.
ginormous |jiˈnôrməs, jī-|
adjective informal, humorous
extremely large; enormous:
ORIGIN 1940s (originally military slang): blend of gigantic and enormous .
But in any case you don't need a data breach to get your fingerprint - it's probably right on the phone.
A fingerprint is the weakest form of security out there.